
Very desperate, can't remove highly sophisticated rootkit.


6 replies to this topic

#1 sentience

sentience

  • Members
  • 1 posts
  • OFFLINE
  • Local time:11:09 PM

Posted 26 April 2014 - 03:30 AM

I am not a security expert, so anything I say below might not be 100% correct or accurate. I just want to apologize in advance should I end up badly abusing terminology.
 

I have detached nearly every component in my rig, all USB devices, unnecessary SATA devices, flashed my BIOS, reset CMOS, wrote zeros to my drives, etc. It will just not go away no matter what I do. I am currently writing this from a Parted Magic liveCD with no hard drive attached to the computer.

 

I'm getting increasingly more desperate as I earn a living as a graphic designer and I have no viable way to make income while this thing continues to ruthlessly infect my systems.
 

It all started when I noticed Windows acting strangely a couple weeks ago. These include various small issues like:

1. Laggy screen redraw/paint speed with no applications running and classic mode set to "high performance", despite having a very powerful computer and two GTX580s in SLI.
2. Strange events showing up in the event log - large amounts of CAPI2 and cryptography related functions failing and throwing errors
3. GMER output showing modifications to svchost.exe and a few other native windows processes
4. Several other quirks / symptoms with google searches and web browsing that indicated DNS was being tampered with
5. Nmap and netstat revealing several ports open that definitely should not be on several computers in my house, Wireshark showing encrypted packets being sent from said ports

I began by formatting my HD, recreating the partition table, and reinstalling windows. To my disbelief, despite the fact I was using original media directly from Microsoft, windows installed and automatically attached me to a domain, and loaded several non-default security policies. Firefox showed NT style 404 pages. My fresh install of Windows 7 was behaving like a PXE style Windows NT install. Certificates and crypto related functions were also heavily tampered with, leaving several hundred errors with CAPI2 in the event log. At this point, I knew that something extremely strange was going on.

I then went on to burn Linux LiveCDs like Parted Magic / Deft as well as several other various antivirus CDs, but it became increasingly more apparent that the infection is highly OS/platform independent. It doesn't matter if I am running completely in RAM either. Infection is identical even with all obvious external non-volatile storage disconnected (HDs, DVDRW, etc). I flashed my BIOS several times as well. Unfortunately the BIOS flash completes in an unrealistically short amount of time (i.e. instantly), leading me to believe that it's not actually flashing the real BIOS, but a virtualized BIOS. Payloads are automatically created and delivered via a poisoned squashfs filesystem on Linux (corrupted grub, efiboot.img, initrd, pxelinux, etc) and some kind of WinPE flavored hack on a Windows installation that I'm sure uses a variety of exploits to transform a normal install into a tainted PXE install. The BIOS also indicates a microcode patch on my i7; I'm not sure if this is normal or a byproduct of the rootkit.

It's also managed to worm its way into my fiancée's brand new Macbook Pro as well. She now has an irremovable "Remote CD" showing up in Finder along with several hundred other oddities when I do a simple ps -Al in terminal/bash. I also suspect some kind of GPU paravirtualization going on - despite having two GTX580 3gb cards in SLI, screen redraw remains extremely slow and laggy. With TCPView in Windows I was able to spot a transient connection (it appeared and then disappeared in a matter of 1-3 seconds) to a remote IP with a resolved name that included "HyperV" - I can't remember the exact name, but it obviously leads me to suspect some kind of Hypervisor related virtualization. This was without any browser windows open.
 

The infection seems to spread very easily via USB. While trying to create a clean liveCD from another computer, I simply plugged in a mouse that I had lying around (which at one point connected to my infected PC) into a clean PC, and it instantly installed 4 separate USB drivers along with its payload (whatever that may be) and the infection began once again. After reboot the BIOS itself was virtualized (I think) and the computer was essentially toast and acted identically to the infected machine. So this indicates to me that it is aggressively flashing any kind of firmware it can.
 

Anyway, the reason I'm posting here is simply because I'm extremely desperate for a solution to rid myself of this. I realize that most posts on BleepingComputer tend to deal with less sophisticated infections than this; I guess I am just hoping there is someone out there that can shed some light on this, as I quite simply don't have any idea what to do. I've never encountered an infection as sophisticated and persistent as this (OS independent bare metal virtualization), and I just want to be able to work again.

I'm at a complete loss as to how to remove this - I suspect that I will have to re-flash all non-volatile storage simultaneously, but with limited development knowledge, little knowledge of Linux, and an unfamiliarity with low level hardware/software processes, this sounds like an impossibly huge and frustrating mountain to climb (it's taken me a few weeks just to figure out a fraction of what's even happening). If I didn't have thousands of dollars worth of hardware (this is a brand new custom rig), discarding everything would be an easier pill to swallow, but I just can't bring myself to accept that as a solution, especially since I'm in a pretty bad financial situation as it is, and my livelihood depends on me having a functional computer to work on.
 

I have binaries that have been captured from this infection as well as various logs if anyone here can take a look. I am also more than happy to provide samples, I would just caution anyone that running them could be very dangerous as I'm pretty certain the payload is VM aware. I can easily induce the infection in Linux and Windows by booting via liveCD or my windows disk and run any kind of application or tool if asked. By looking at the poisoned image that is mounted in linux, it's easy to distinguish the tainted files by looking at modification timestamps.

Even just a positive identification of this rootkit would be a tremendous help to me so I know where to start. I just want to know if there anything I can do that doesn't involve throwing away over $6000 worth of hardware. :(
 

Thanks much for any kind of information / help.


Edited by sentience, 26 April 2014 - 03:31 AM.
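A check worth running before concluding that an infection survives a RAM-only live boot, added here as an editor's example and not part of the original post or any poster's procedure: confirm that the ISO you downloaded matches the vendor's published SHA256SUMS file (this script assumes that file's GPG signature has already been verified against the distribution's key, which it does not do itself), and that the media you actually boot from contains the ISO byte for byte. A USB stick or DVD is almost always larger than the image, so the read-back has to be limited to the image length or the hashes never match. The file names and sample data below are constructed for the example; it needs only POSIX sh and coreutils.

```shell
#!/bin/sh
# Editor's added example: verify boot media integrity before trusting a
# "clean" live boot. Not code from the thread or from any distribution.
set -eu

# Check an ISO against a vendor SHA256SUMS file (lines of "<hash>  <filename>").
# Returns 0 on match, 1 on mismatch or if the file is not listed.
# Assumption: SHA256SUMS was GPG-verified out of band before calling this.
iso_matches_sums() {
    iso="$1"; sums="$2"
    want=$(awk -v f="$(basename "$iso")" '$2 == f { print $1; exit }' "$sums")
    [ -n "$want" ] || return 1
    have=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Read back exactly the ISO's byte count from the written device (or a dump
# of it) and compare hashes. Any altered, truncated or replaced byte within
# the image region makes this fail.
media_matches_iso() {
    iso="$1"; dev="$2"
    size=$(wc -c < "$iso" | tr -d ' ')
    want=$(sha256sum "$iso" | awk '{ print $1 }')
    have=$(head -c "$size" "$dev" | sha256sum | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Typical use on a real system (device names are hypothetical), run as root
# from a machine you trust, immediately after writing the media:
#   iso_matches_sums pmagic.iso SHA256SUMS && \
#   media_matches_iso pmagic.iso /dev/sdb && echo "media matches the ISO"
```

If both checks pass on one machine and the same media still "looks infected" when booted on another, the difference is in the hardware or firmware of that second machine rather than in the media, which is the question the original post is trying to settle.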



#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:08:09 AM

Posted 26 April 2014 - 06:07 AM

This area is to assess if you are infected, but that seems to not apply to you -

 

If you are sure there is already an infection on that computer, then please post directly to the Experts area.

 

Please follow the instructions in THIS PREP GUIDE starting at Step #6.

Copy and paste the 2 DDS logs (if you can) and follow any other directions given.

NOTE - If you cannot complete a step, skip it and continue.

 

 Once the proper DDS logs are created, then make a NEW TOPIC and post it to =>
Virus, Trojan, Spyware, and Malware Removal Logs area -

 

They can use other tools to find the problem that we can not use in this area.

 

If HelpBot replies, please follow its Step #1 and the team will be notified.

 

Tell us when you post the new topic so we can close this one and only let the Experts fix your problem.



#3 Aussietecho

Aussietecho

  • Members
  • 2 posts
  • OFFLINE

Posted 19 July 2014 - 10:48 AM

Fellow SMB owner, I have the same rootkit and associated infections!! Infected at around the same time too!

#4 Aussietecho

Aussietecho

  • Members
  • 2 posts
  • OFFLINE

Posted 19 July 2014 - 11:02 AM

Hi, I am actually an IT engineer who has also been hit by this exact rootkit. I have observed the exact symptoms you are describing. My entire network is infected, including networking peripherals. Firmware has been modified across the board, in most cases, or totally reflashed. Flashing BIOS, even physically taking out the battery, has no effect. It will not allow boot to a clean boot image; it will crash the boot if it can't inject itself into the boot process.

I have never seen anything like it before in my life. It's unbelievably infectious, using several worms, I believe, to deliver payloads which force a Windows update from a CnC server or other infection source. It wardrives automatically via Bluetooth or any other connection it can obtain in "headless mode", which I basically read all about in an XML spec sheet in the infected squashfs. Like you said, you can see a lot more under Linux live CDs (infected even) than within Windows. The boot process of a Linux live CD is attacked at least 30-odd times in an attempt to redirect the boot process or 'update the kernel'. The funny thing is it's really quiet and stealthy if you don't fight it or actively try to remove it. But the infection downloads upgrade packages, and the more you fight the more advanced it gets. It has tricked one laptop into thinking it's in the Ukraine, and Google and most web locations seem to agree. It actively hacks and sniffs all network traffic in order to get access, then controls it via a loopback address redirection.

I am working out a secure method of uploading some tool logs currently, but I am not even risking email, not from my iPhone. This rootkit has possibly permanently rooted my Samsung S5 and Samsung Galaxy Note 3 along with many other pieces of hardware that may be forever compromised. Please let me know if BleepingComputer are able to help you at all.

#5 Kriss801

Kriss801

  • Members
  • 1 posts
  • OFFLINE

Posted 28 October 2014 - 06:05 PM

I just got hit too, firmware flashed across the board.. even bare bones Linux live gets attacked during boot and tried to load a USB firmware virus. Please tell me you've solved this?

#6 r3almode

r3almode

  • Members
  • 1 posts
  • OFFLINE
  • Local time:06:09 PM

Posted 09 September 2015 - 03:41 PM

Hello

I am sorry you got infected. Let me explain how to fix your problem. I am confident if you do this you will win. The malware you are fighting is most likely an INT 13 HANDLER replacement, which you will recognize as a BOOTKIT. It hijacks the grub bootloader and from that point on resides in two primary places plus one more secondary hiding spot. It may sound complicated but the truth is, it's quite a simple piece of work. The devastation it causes on the other hand.... corrosive to the human species and a blight on our internet.

FIX: obtain the latest version of any Linux distribution that uses the UNION FILE SYSTEM.

I suggest INX ("is not X" :) that is the name of the distribution, my friend.

You see, the delivery vector for the bug is a VBIOS modification bundle. So ask yourself: how do I strike early, as in the queen's gambit chess offense, against this poison?

By booting in a way which does not rely on any video BIOS at all. Boot parameters must include:

    vga=791 toram

just like that, my friend.

This will block the effects of the remote debugger for THAT SESSION.

You MUST then immediately purge the SMRAM by booting to a GENTOO live system rescue disc and selecting MEMTEST FAILSAFE. Let the memtest run until its mode changes to "W". Can you guess what the W stands for? If you chose "WIN" you'd be right! Actually it's for "WIPE", which is a more accurate description of what you'd be doing after..... that's what I think of irresponsible hackers. It's time someone put this thing in a choke hold. And you're the guy to do it now. After you do this you need to boot from the closest thing you can get to a factory hologram reinstallation of your OS disc. This will eliminate the bug for good. Do not be sad if you accidentally reinfect your boxxen because you inserted a USB from one still-infected machine into the clean one. It's just part of the learning process. Hackers depend primarily on mental laziness to achieve their goals. So get cleaned up, get your tools and do this thing. And then donate five bucks to this website. These guys have been around since I was a kid. Their tools and skills have made me look good in front of customers more times than I can count. They deserve some real respect.

you follow r3almode right? :)

Good luck -

Nil Magnum Nisi Bonum
Augusta PC.NET
-r3almode


Edited by r3almode, 09 September 2015 - 03:51 PM.


#7 markreflex

markreflex

  • Members
  • 5 posts
  • OFFLINE
  • Local time:11:09 PM

Posted 10 September 2015 - 03:11 PM

Run HitmanPro, the best malware killer and remover. Register an email for a trial to remove infections.

Link: http://www.surfright.nl/en/hitmanpro
